replacing one dependency in the chain

ghazel's Avatar

ghazel

27 Jan, 2010 11:32 AM

I'm trying to use a gem called "foo". However, "foo" depends on a gem called "bar", which has a bug. So I uninstalled "bar", forked it on github and fixed the bug, then pushed "ghazel-bar" to gemcutter. Now I can install "ghazel-bar" and it works great. However, when I try to use "foo", it says:
Gem::LoadError: Could not find RubyGem bar (>= 0.1.0)

How do I tell "foo" that "ghazel-bar" satisfies that requirement? Do I have to maintain a fork of every gem which depends on "bar" and rewrite it to use "ghazel-bar" instead? That could become quite time-consuming, and is a bunch of changes which would never be accepted upstream and should be ditched as soon as the "bar" maintainer accepts my pull request (if ever!)

Thoughts?

  1. Support Staff 1 Posted by Eric Hodel on 28 Jan, 2010 11:33 PM

    Eric Hodel's Avatar

    This is a hard problem to solve, if dependency substitution is allowed there's no way to protect against accidentally using malicious code. A malicious author could upload a library that satisfies or even overrides the dependency.

    We've discussed this numerous times on the RubyGems mailing list, but have yet to come up with a good solution that solves this problem that we can implement. You're welcome to discuss this further on the mailing list if you have an ideas.

  2. Eric Hodel closed this discussion on 28 Jan, 2010 11:33 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac